@soulbatical/tetra-dev-toolkit 1.20.11 → 1.20.13

package/lib/templates/tests/05-security.test.ts.tmpl

@@ -0,0 +1,82 @@
+/**
+ * Security E2E tests — input validation, injection prevention, error handling.
+ * Tetra golden standard — tests beyond auth walls.
+ *
+ * CUSTOMIZE: Update endpoints and payloads for your project.
+ */
+import { describe, it, expect, beforeAll } from 'vitest';
+import { get, post, del, api } from './helpers/api-client';
+import { getTestContext, type TestContext } from './helpers/test-users';
+
+let ctx: TestContext;
+
+beforeAll(async () => {
+  ctx = await getTestContext();
+}, 60000);
+
+/* ---------- Input validation ---------- */
+
+describe('Security: Input validation', () => {
+  // CUSTOMIZE: Use your project's main create endpoint
+  const createEndpoint = '/api/resources'; // TODO: change this
+
+  it('rejects SQL injection in query params', async () => {
+    const res = await get<any>(
+      `${createEndpoint}?search='; DROP TABLE users; --`,
+      ctx.admin.token
+    );
+    // Should not crash — return 200 with empty results or 400
+    expect([200, 400]).toContain(res.status);
+  });
+
+  it('rejects XSS in create body', async () => {
+    const res = await post<any>(createEndpoint, {
+      name: '<script>alert("xss")</script>',
+    }, ctx.admin.token);
+    // Should create (and sanitize on render) or reject — never 500
+    expect(res.status).toBeLessThan(500);
+  });
+
+  it('handles oversized field values', async () => {
+    const res = await post<any>(createEndpoint, {
+      name: 'x'.repeat(10000),
+    }, ctx.admin.token);
+    // Should reject with 400/422, never 500
+    expect(res.status).toBeLessThan(500);
+  });
+});
+
+/* ---------- Error handling ---------- */
+
+describe('Security: Error handling', () => {
+  it('401 does not leak stack traces', async () => {
+    const res = await get<any>('/api/admin/users');
+    expect(res.status).toBe(401);
+    const body = JSON.stringify(res.data);
+    expect(body).not.toContain('node_modules');
+    expect(body).not.toContain('.ts:');
+    expect(body).not.toContain('at Object.');
+  });
+
+  it('404 for unknown route does not leak internals', async () => {
+    const res = await get<any>('/api/nonexistent-e2e-route', ctx.admin.token);
+    expect(res.status).toBeGreaterThanOrEqual(400);
+    const body = JSON.stringify(res.data);
+    expect(body).not.toContain('node_modules');
+  });
+});
+
+/* ---------- CORS ---------- */
+
+describe('Security: CORS', () => {
+  it('OPTIONS request does not return 500', async () => {
+    const res = await api('/api/health', {
+      method: 'OPTIONS',
+      headers: {
+        'Origin': 'https://example.com',
+        'Access-Control-Request-Method': 'GET',
+      },
+    });
+    expect(res.status).toBeLessThan(500);
+  });
+});

package/lib/templates/tests/global-setup.ts.tmpl

@@ -0,0 +1,73 @@
+/**
+ * Global setup — logs in ONCE and writes tokens to a temp file.
+ * Test workers read from this file instead of logging in separately.
+ *
+ * PREREQUISITES:
+ *   1. Backend running (npm run dev or npm run dev:local)
+ *   2. Test user exists in database (seed or manual create)
+ *   3. Set E2E_BASE_URL, E2E_ADMIN_EMAIL, E2E_PASSWORD (via env or Doppler)
+ */
+
+import { writeFileSync, unlinkSync } from 'fs';
+import { join } from 'path';
+
+const BASE_URL = process.env.E2E_BASE_URL || 'http://localhost:3003';
+const EMAIL = process.env.E2E_ADMIN_EMAIL || 'e2e-admin@example.com';
+const PASSWORD = process.env.E2E_PASSWORD || 'TestPass1234';
+const TEST_KEY = process.env.RATE_LIMIT_BYPASS_KEY || '';
+
+export const TOKEN_FILE = join(__dirname, '.e2e-tokens.json');
+
+async function apiPost(path: string, body: Record<string, unknown>) {
+  const headers: Record<string, string> = {
+    'Content-Type': 'application/json',
+  };
+  if (TEST_KEY) {
+    headers['X-Test-Key'] = TEST_KEY;
+  }
+
+  const res = await fetch(`${BASE_URL}${path}`, {
+    method: 'POST',
+    headers,
+    body: JSON.stringify(body),
+  });
+
+  const data = await res.json() as any;
+  return { status: res.status, data };
+}
+
+export async function setup() {
+  const loginRes = await apiPost('/api/public/auth/login', {
+    email: EMAIL,
+    password: PASSWORD,
+  });
+
+  const accessToken = loginRes.data?.data?.accessToken
+    || loginRes.data?.data?.access_token;
+  const refreshToken = loginRes.data?.data?.refreshToken
+    || loginRes.data?.data?.refresh_token;
+
+  if (!accessToken) {
+    console.error('\n  ❌ Admin login failed:', loginRes.status, JSON.stringify(loginRes.data));
+    console.error('  Prerequisites:');
+    console.error(`    1. Backend running on ${BASE_URL}`);
+    console.error(`    2. Test user ${EMAIL} exists in database`);
+    console.error('    3. Set E2E_ADMIN_EMAIL + E2E_PASSWORD env vars\n');
+    throw new Error(`Admin login failed (${loginRes.status}). Ensure ${EMAIL} exists.`);
+  }
+
+  const tokens = {
+    id: loginRes.data.data.user?.id,
+    email: EMAIL,
+    token: accessToken,
+    refreshToken: refreshToken,
+    organizationId: loginRes.data.data.user?.active_organization_id,
+  };
+
+  writeFileSync(TOKEN_FILE, JSON.stringify(tokens));
+  console.log(`\n  E2E setup: logged in as ${EMAIL} (id: ${tokens.id})\n`);
+}
+
+export async function teardown() {
+  try { unlinkSync(TOKEN_FILE); } catch {}
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@soulbatical/tetra-dev-toolkit",
-  "version": "1.20.11",
+  "version": "1.20.13",
   "publishConfig": {
     "access": "restricted"
   },
@@ -39,7 +39,8 @@
     "tetra-check-peers": "./bin/tetra-check-peers.js",
     "tetra-security-gate": "./bin/tetra-security-gate.js",
     "tetra-smoke": "./bin/tetra-smoke.js",
-    "tetra-init-tests": "./bin/tetra-init-tests.js"
+    "tetra-init-tests": "./bin/tetra-init-tests.js",
+    "tetra-test-audit": "./bin/tetra-test-audit.js"
   },
   "files": [
     "bin/",

package/lib/templates/tests/07-security.test.ts.tmpl

@@ -1,93 +0,0 @@
-/**
- * Security E2E tests — auth walls + role-based access.
- * Tetra golden standard — auto-reads protected routes from project config.
- *
- * CUSTOMIZE: Update protectedRoutes and role access tests for your project.
- */
-import { describe, it, expect, beforeAll } from 'vitest';
-import { get, post, del, api } from './helpers/api-client';
-import { getTestContext, type TestContext } from './helpers/test-users';
-
-let ctx: TestContext;
-
-beforeAll(async () => {
-  ctx = await getTestContext();
-}, 60000);
-
-// ── Auth walls: all protected routes require token ────────────
-// CUSTOMIZE: add all your protected API routes here
-
-const protectedRoutes = [
-  '/api/tracks',
-  '/api/users',
-  '/api/admin/dashboard',
-  '/api/permissions/my',
-  // Add project-specific routes below:
-];
-
-describe('Security: Auth walls', () => {
-  for (const route of protectedRoutes) {
-    it(`${route} returns 401 without auth`, async () => {
-      const res = await get(route);
-      expect(res.status).toBe(401);
-    });
-  }
-});
-
-describe('Security: Invalid tokens', () => {
-  it('rejects malformed JWT', async () => {
-    const res = await get('/api/tracks', 'eyJhbGciOiJIUzI1NiJ9.fake.fake');
-    expect(res.status).toBe(401);
-  });
-
-  it('rejects empty Authorization header', async () => {
-    const res = await api('/api/tracks', { headers: { 'Authorization': '' } });
-    expect(res.status).toBe(401);
-  });
-});
-
-// ── Role-based access ─────────────────────────────────────────
-// CUSTOMIZE: update for your project's roles and admin endpoints
-
-describe('Security: Basic user cannot access admin endpoints', () => {
-  it('basic CANNOT access /api/admin/dashboard', async () => {
-    const res = await get('/api/admin/dashboard', ctx.basic.token);
-    expect(res.status).toBe(403);
-  });
-
-  it('basic CANNOT list users', async () => {
-    const res = await get('/api/users', ctx.basic.token);
-    expect(res.status).toBe(403);
-  });
-
-  it('basic CANNOT delete another user', async () => {
-    const res = await del(`/api/users/${ctx.admin.id}`, ctx.basic.token);
-    expect(res.status).toBe(403);
-  });
-});
-
-describe('Security: Elevated user cannot access admin-only endpoints', () => {
-  it('elevated CANNOT access /api/admin/dashboard', async () => {
-    const res = await get('/api/admin/dashboard', ctx.elevated.token);
-    expect(res.status).toBe(403);
-  });
-
-  it('elevated CANNOT delete another user', async () => {
-    const res = await del(`/api/users/${ctx.admin.id}`, ctx.elevated.token);
-    expect(res.status).toBe(403);
-  });
-});
-
-// ── Public routes: accessible without auth ────────────────────
-
-describe('Security: Public routes', () => {
-  it('/api/health is public', async () => {
-    const res = await get('/api/health');
-    expect(res.status).toBe(200);
-  });
-
-  it('/api/version is public', async () => {
-    const res = await get('/api/version');
-    expect(res.status).toBe(200);
-  });
-});